Facebook Miscreants Dealt a Temporary Smackdown

After more than a week of harassment by goofballs spamming links, Facebook users can breathe a sigh of relief that, for now, at least one source of trouble has been eradicated.

Last week’s worm-like spread of links to the mygener.im domain, and this week’s use of the ponbon.im and hunro.im domains to phish Facebook users’ credentials, have been a puzzling diversion from my normal malware analysis tasks. The mygener.im link that was spammed into Facebook accounts redirected users to a page hosted elsewhere that contained nothing but perplexingly obfuscated Javascript (with variables — shown at left — that appear to be comprised mostly of words in Latin) that, as far as I and other researchers here can tell, didn’t do anything at all.

But yesterday I decided that enough was enough, so I emailed the source of the .IM top-level domains — the Isle of Man domain name registry, nic.im — to ask what the heck was going on with all these .IM domains being used for malicious purposes. After all, as a result of the metric tons of malicious code and browser exploits I see that originate on Web sites registered in the .biz and .info top-level domains (TLD), I personally no longer have any confidence in a site registered under either of those TLDs. The big question in my mind was, is .IM on its way to becoming another lost cause?

As it turns out, .IM’s operators really jumped on the problem. The registry’s representative promptly replied to my messages, and the registry has suspended not only the three domains I’ve named, but twelve others I hadn’t heard of that were registered in the .IM TLD through the same intermediary and, in his words, “which we suspect were being used for malicious purposes.”

“We take the reputation of the IM registry seriously and police it to try and prevent events like this from arising,” he continues. “Where we can, we block users from registering via a variety of means and, in the main, this has to date been succesful [but] from time to time we have to make changes to our processes, and these events will act as a prompt to review them to see where we can tighten things up.”

So for now, Facebook users, breathe easy — until the bad guys find a domain registry willing to look the other way. And thank you, .IM, for showing us all how a responsible (and responsive) top-level domain NIC deals with criminals — by swiftly shutting them down.